1. NATIONAL HEALTH INFORMATION SHARING & ANALYSIS CENTER THE NATION’S HEALTHCARE & PUBLIC HEALTH SECTOR INFORMATION SHARING & ANALYSIS CENTER Information & Cybersecurity Threat & Vulnerability Protection, Best Practice & Education

2. NH-ISAC HEALTHCARE & PUBLIC HEALTH CRITICAL INFRASTRUCTURE PROTECTION EXECUTIVE OVERVIEW 1.National Critical Infrastructure and Key Resources (CIKR) Protection – Public/Private Partnership 2.Cybersecurity Overview – Threats/Vulnerabilities/Attacks 3.Protecting the Health & Public Health Sector US Department of Health & Human Services, US DHS Health Sector Coordinating Council – Government/Private Sector National Health Information Sharing & Analysis Center (NH-ISAC) 4.NH-ISAC Membership – Value Proposition Executive Overview Agenda

3. Homeland Security Presidential Directive 7 (HSPD-7) – National CIKR Protection National Infrastructure Protection Plan (NIPP) - After 9/11, 18 National Critical Infrastructures and Key Resources (CIKR) were identified for protection. Presidential Directive (HSPD-7) – Established national Policy to identify and prioritize US critical infrastructures and key resources – protecting from terrorist attacks. Recognizing that each infrastructure possessed its own unique characteristics and operating models, Sector- Specific Agencies (SSAs) were identified to develop sector CIKR protection plans. Information Sharing & Analysis Centers (ISACs) - Federal departments (US DHS, FBI, etc.) and SSAs collaborate in a public/private partnership with sector-specific ISACs to encourage sector-specific mechanisms to monitor, identify, prioritize, analyze and coordinate sector protection (physical and cyber). 1 – CIKR Protection

4. DHS Information Sharing Environment (ISE) CIKR Components Coordination & Governance / Risk Mitigation Relationship Management / Information Exchange Content Identification & Development INFORMATION SHARING & ANALYSIS CENTERS (ISACs) The definition of an ISAC is "a trusted, sector-specific entity which provides to its constituency a 24/7 Secure Operating Capability that establishes the sector’s specific information/intelligence requirements for incidents, threats and vulnerabilities (two-2ay information sharing). Based on its sector-focused subject-matter analytical expertise, the ISAC then collects, analyzes and disseminates alerts and incident reports to its membership and helps the government understand impacts for its sector.” ISAC Characteristics: Trusted Information Sharing & Analysis, Trusted Sector and Cross-Sector Relationships, Trusted Private Sector Subject Matter Experts, International Reach Protection Partnership / 2-Way Information Sharing - ISACs 1 – CIKR Protection

5. Coordinating Council Federal Sector-Specific Agency (SSA) Government Coordinating Council (GCC) Critical Infrastructure Sector Coordinating Council (SCC) Information Sharing & Analysis Center (ISAC) GCC/Government – Federal Depts. (DHS, etc.), Federal Agencies, State, City, County SCC/Private Sector - Industry, Owner/Operators, Trade Associations, Standards Organizations, Academia, etc. CIKR / SSA / Coordinating Council / ISAC – Collaborative Partnership For each National Critical Infrastructure, a Federal Sector-Specific Agency (SSA) has a Coordinating Council (Government/Private) working in a collaborative partnership with sector-specific Information Sharing & Analysis Centers (ISACs). Private Sector Critical Infrastructure & Key Resources (Owner/Operators, Industry, Academia, etc.) 1 – CIKR Protection

6. Communications ISAC (NCC), Electric Sector ISAC (IS-ISAC), Emergency Management & Response ISAC (EMR-ISAC), Financial Services, ISAC, Health ISAC (NH-ISAC), Highway ISAC (First Observer), IT ISAC NATIONAL COUNCIL OF ISACs Maritime Security Council ISAC, Multi-State ISAC, Nuclear ISAC (NEI), Public Transportation ISAC (APTA), Real Estate ISAC, Research & Education Networking ISAC (REN-ISAC), Supply Chain ISAC (SC-ISAC) Surface Transportation ISAC (ST-ISAC), Water ISAC, Chemical Sector Coordinating Council, Defense Security Information Exchange, Oil and Natural Gas Coordinating Council, Partnership for Critical Infrastructure Security, Regional Consortium Coordinating Council National Council of ISACs The mission of the Information Sharing and Analysis Centers Council (National Council of ISACs) is to advance the physical and cyber security of the critical infrastructures of North America by establishing and maintaining a framework for valuable interaction between and among the ISACs and with government. 1 – CIKR Protection

7. http://www.isaccouncil.com/ National Health ISAC (NH-ISAC) – National Council of ISACs Member 1 – CIKR Protection

8. WHAT IS INFORMATION AND CYBER SECURITY? Prevents exploitation of information either in paper-based or electronic information systems Ensures confidentiality, integrity and availability of systems and data Includes restoring electronic information and communications systems in the event of a terrorists attack or natural disaster WHAT IS CYBER INFRASTRUCTURE? Physical assets and virtual systems and networks that enable key capabilities and services in both the public and private sectors IMPORTANCE OF CYBER INFRASTRUCTURE Information technology (IT) supports three (3) types of cyber infrastructures across the various CIKR sectors 1.Business Systems – Mission essential systems that are used to manage or support common business process and operations 2.Control Systems – Cyber systems used to monitor and control sensitive processes and physical functions (SCADA, HVAC, Environment Control Systems, Lab-Based Surveillance, Healthcare – Medical Devices, Monitors, Medical Equipment, etc. ) 3.Safety, Security, Support and Other Specialty Systems – Cyber systems used to manage physical access or for alerting and notification purposes (Computerized alarm systems, electronic card readers, biometrics, radio frequency, identification (RFID), emergency alert systems, HAZMAT systems, etc. Protection of physical and cyber assets and interoperability is problematic due to the interconnected and interdependent nature of the nation’s critical infrastructures – especially the nation’s Healthcare and Public Health Sector. Cybersecurity is much more than “User Names” and “Passwords” Business Management Holds Responsibility for Security (Both Physical/Cyber)……………Technology Enables It. 2 – Cybersecurity

9. CYBER THREAT ISSUES / TRENDS Threats evolve quickly – as soon as one is identified and counter measures put in place, the threat can change or expand into new or multiple threats Hackers quickly acquire skills to launch attacks on US cyber infrastructures. Emergence of “hacker schools” online and abroad Hackers are selling their services to a wide variety of actors (criminals, terrorists, criminal organizations, nation states, disgruntled employees, contractors, etc. Anonymity of the Internet – Allows “hacker for hire services” into a complex black market Hacking techniques previously required specialized coding and programming knowledge. NOT ANY MORE – Less skilled users can now access free and commercially available hacking automated programs and tools The number of malicious hackers with the necessary skills continues to increase while the knowledge required for counter measures has decreased Cyber Threats 2 – Cybersecurity CYBER THREAT Via an information system, any circumstance or event with the potential to adversely impact organizational operations, assets (both physical and informational), individuals, other organizations, other critical infrastructures or the Nation through an information system. Cyber threats can affect and immediately impact – hospital operations to admit/treat patients, security systems, environmental controls, insurance and medical billing claims technology, electronic records and personal data, supply delivery and stockpiles, functionality of life sustaining equipment, public health data and emergency management systems.

10. CYBER VULNERABILITIES Weaknesses in physical or information systems, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. CYBER THREAT ISSUES / TRENDS Cyber vulnerabilities fall into three (3) categories: People (Employees or those external to the organization) Processes (Security Procedures) Technology (Software, Additional Programs, Shared Networks, Badging Systems, etc. IDENTIFYING VULNERABILITIES Both the U.S. Computer Emergency Readiness Team, or the US-CERT, and the Information Sharing and Analysis Centers (ISACs), help stakeholders across all sectors identify and address vulnerabilities Cyber Vulnerabilities 2 – Cybersecurity

11. Types of Cyber Attacks Physical Facilities (Unauthorized Access, Environment/Emergency/Hospital Systems Disruption) Denial of Service, Penetration Attacks, BotNET (Malicious Software Robots, Scareware ($$$ or Attack), Malicious Code, Unknown Program Installation, Database Attacks, Website Defacements, Multiple Coordinated Attacks, Wireless Network Exploits, Domain Name Server (DNS Attacks), Pirated Software/Intellectual Property, Unauthorized Access, etc. Types of Cyber Attacks Cyber Attack Categories Natural or Inadvertent Attack – Accidents from Natural Disasters Intentional Threats – Illegal or Criminal Acts (Insiders or Outsiders, Recreational/Criminal Hackers Human Blunders – Errors, Omissions, Unintentional Human Actions Hardware (Computers, Printers, Scanners, Servers, Communication Media) Software (Applications, Special Programs, System Backups, Diagnostic Programs, Operating Systems, etc. Data – In Storage (Rest), Transition (Transit) or Undergoing Modification (Change) Medical Devices – Hacking into medical devices and injecting malicious code to disrupt lifesaving devices. Smart Phone Attacks – Hacking personal information, emails, documents, applications People – Users, Systems Administrators, Hardware and Software Manufacturers, Disgruntled Employees, Unauthorized Personnel Documentation – User Information for Hardware/Software, Administrative Procedures, Policy Documents Business and Personal Social Network Attacks – Stealing information about your behavior and lifestyle 2 – Cybersecurity

12. Cybersecurity – Protecting the Healthcare & Public Health (HPH) Sector The HPH Sector is not only a domestic critical infrastructure, but a foreign one as well (i.e. supply chain dependencies, etc.) The HPH Sector is diverse with no single impenetrable security system. Attacks can impact organizational integrity, loss of business and financial systems, loss of data, medical equipment and device corruption, loss of environmental systems, facility shutdown, etc. Attacks can result in lawsuits, criminal, or regulatory compliance actions and fines for not having protective cybersecurity policies, measures and technologies in place. Measures (defined and documented plans, procedures, protective solutions/collaborative partnership) must be taken and implemented to protect technologies, processes, computer networks, equipment, facilities, and the workforce from authorized access, threats, attacks or vulnerabilities. PROTECTING THE HPH SECTOR The HPH Sector utilizes numerous technologies to provide the delivery of care and to respond to emergencies and perform surveillance. Cybersecurity is increasingly becoming more critical due to attacks to healthcare and other critical infrastructures and key resources (CIKR) sectors. 3 – Protecting the HPH Sector

13. Health Coordinating Council US Department of Health & Human Services (HHS) Health Government Coordinating Council (HGCC)Health Sector Coordinating Council (HSCC) National Health Sector Coordinating Council (HSCC) WHAT IS THE HSCC? The HSCC represents private sector interests and perspectives in the public-private effort to protect the national healthcare infrastructure. It is made up of representatives, organizations, trade associations, and professional societies who operate within the healthcare sector. The HSCC has a dual mission to meet the specific needs of owners and operators and to also inform and influence government policies and actions with regard to infrastructure protection. MISSION OF THE HSCC To serve the needs of sector owners/operators and associations (constituent customers) in regard to preparing for responding to, and recovering from both significant hazards, including natural and manmade disasters, as well as national or regional health crises. To advocate the interests of sector owner/operators and associations (constituent customers) to state and federal agencies and legislators in order to enhance government policies, plans and actions regarding infrastructure protection, preparedness, response and resilience. 3 – Protecting the HPH Sector

14. Organization of the HSCC Executive Committee or Chairs Tri-Chair Council – Encompasses a broad spectrum of leadership capabilities for the HSCC; full rotation every three (3) years Sub-Councils/Members All HSCC members fit into one of the six (6) of the following current sub-councils. Members can then be referred tom ore easily for input into working group projects or additional sectors initiatives Direct Patient HealthcareHealth Information and Medical Technology Technology Health Plans and PayersLaboratories, Blood and Pharmaceuticals Mass Fatality Management ServicesMedical Materials Coordinating Group Working Groups There are four (4) active working groups within the HSCC. Joint Advisory Working Group (JAWG)Information Sharing Working Group (ISWG) Risk Assessment Working Group (RAWG)Cybersecurity Working Group (GSWG) Each of these groups address critical issues for the sector and interests of the HSCC members resulting in best practice deliverables. 3 – Protecting the HPH Sector

15. Cybersecurity Working Group (CSWG) Directs the HPH sector’s cybersecurity analysis, education and awareness efforts, to include coordinating with other Critical Infrastructure Protection (CIP) workgroups to provide cybersecurity expertise for the sector’s risk management objectives. Helps develop and vet cybersecurity situational reports, determines best practices and makes recommendations toward cybersecurity standards for the HPH Sector. CSWG Membership – US Health Human Services (HHS) – Office of the Assistance Secretary for Preparedness and Response (ASPR), Centers for Disease Control and Prevention (CDC), Office of the National Coordinator (ONC) Department of Homeland Security – Office of Infrastructure Protection (IP), National Cybersecurity Division ( NCSD) Department of Transportation National Health Information Sharing & Analysis Center (NH-ISAC) Private Sector Stakeholders within the HSCC Telecom Companies Other: State, Local and Tribal Healthcare Partners NH-ISAC Chair, Cybersecurity Working Group Health Sector Coordinating Council (HSCC) – Cybersecurity Working Group (CSWG) 3 – Protecting the HPH Sector

16. Coordinating Council National Health ISAC US Department of Health & Human Services (HHS) Health Government Coordinating Council (HGCC)Health Sector Coordinating Council (HSCC) Private Sector Critical Infrastructure & Key Resources (Owner/Operators, Industry, Academia, etc.) 3 – Protecting the HPH Sector Healthcare & Public Health Critical Infrastructure Protection

17. NH-ISAC MISSION The mission of the NH-ISAC is to enable, ensure and preserve the public trust by advancing protection of the nation’s public health and healthcare sector’s critical infrastructure via trusted cybersecurity threat and vulnerability monitoring, analysis, notification, countermeasure solutions, incident response and to foster and enable the availability of proven security and privacy governance, security awareness and workforce education. NH-ISAC - The Nation’s Healthcare & Public Health ISAC NH-ISAC Nationally Recognized ISAC for the Nation’s Healthcare & Public Health Critical Infrastructure Member of the National Council of Information Sharing & Analysis Centers (ISACs) – Representing all critical infrastructures Member of the National Healthcare Sector Coordinating Council (HSCC) Chairs the HSCC, Cybersecurity Working Group 4 – NH-ISAC Value Proposition

18. NH-ISAC Trusted entity established and sustained by the healthcare and public health owners and operators addressing critical infrastructure protection (physical/cyber), best practice and education Helps government understand impacts for the HPH sector (policy, protection, education) Provides to its constituency a 24/7 secure operating capability (information sharing/intelligence requirements for incidents, threats and vulnerabilities) r esponding to all aspects of security and “all hazards” including cross-sector interdependencies. Collects and provides comprehensive analysis and dissemination of alerts and incident reports, actual or potential sector disruptions extensively within the HPH sector membership, across sectors and with government Support national level exercises and sector-specific exercises During events of national significance, NH-ISAC provides operation services such as risk mitigation, incident response and information sharing that protects the nation’s HPH critical infrastructure NH-ISAC empowers business resiliency through security planning, disaster response and execution. (24/7 threat warning, incident reporting capabilities critical to the success of protecting national critical infrastructures. Working together, all ISACs have a track record of responding to and sharing actionable and relevant information more quickly than DHS and doing so in an accurate manner. NH-ISAC

19. NH-ISAC Organizational Capacity 4 – NH-ISAC Value Proposition NH-ISAC National Advisory Council Membership Collaboration / Defining Voice NH-ISAC Framework Cybersecurity Research - NH-ISAC Partnership - Global Institute Cyber Security Research) Critical Information Security Notification System (NH-ISAC CISNS) Increased Sector-Wide Knowledge via Early Notifications Two-Way Information Sharing Countermeasure Solutions Secure Member Portal – In-Depth Analysis/Support National and Sector-Specific Cybersecurity Exercises Cybersecurity Best Practice Consulting Health IT Information& Cyber Security Workforce Development & Certification NH-ISAC Health IT Information Security Test Bed Audit Management Policy Management Risk Management Compliance Management Business Continuity Threat Management Incident Response Workforce Education Best Practice Research NH-ISAC Framework

20. CYBERSECURITY EDUCATION – SHAPING THE FUTURE NATIONAL INITIATIVE FOR CYBERSECURITY EDUCATION (NICE) A national campaign to promote cybersecurity awareness, workforce education and digital literacy from our boardrooms to our classrooms – building and sustaining a cybersecurity workforce for the 21 st century. This is your opportunity to have a defining voice and benefit from the resulting project education framework, curriculum, etc. http://www.nist.gov/nice Healthcare & Public Health CIKR Cybersecurity Education In collaboration with NIST, US DHS, NSA, HHS, The National Healthcare Sector Coordinating Council (HSCC), The Global Institute for Cybersecurity + Research is leading development of National Critical Infrastructure (CIKR) Cybersecurity Education Frameworks. NH-ISAC is the lead for the Healthcare & Public Health sector. 4 – NH-ISAC Value Proposition

21. NH-ISAC Membership 4 – NH-ISAC Value Proposition Who Can Join the NH-ISAC? H-ISAC Membership is open to organizations who are in the healthcare and public health sector, are a US firm or corporation and have been accepted by the NH-ISAC Board of Directors. How is the NH-ISAC Funded? The NH-ISAC is 100% funded through the ISAC membership model. How do I Join the NH-ISAC? Contact NH-ISAC directly or access the Membership Application: http://www.nh-isac.org/NH-ISAC_Membership.htmlhttp://www.nh-isac.org/NH-ISAC_Membership.html National Health ISAC (NH-ISAC) Exploration Park/Kennedy Space Center One Spaceport Way Cape Canaveral, FL 32902 Direct: 904-827-0290